Update: The PoC links stopped working earlier this afternoon. By all accounts the problem is fixed. Shortly after we noticed the fix, we got this from Microsoft.
TechNet vulnerable to Cross-Site Scripting.
"To answer your questions, Microsoft is aware of a reported vulnerability in the TechNet Script center Gallery. As soon as we became aware of the report, we launched an investigation. Our engineers have completed the investigation and addressed the reported vulnerability. The company is currently unaware of any customer impact resulting from this report."
Original Article:
Researchers have discovered a security vulnerability in one of the most used technical resources online, Microsoft’s TechNet. The vulnerability, a Cross-Site Scripting (XSS) flaw, resides in the TechNet Script Center Gallery, and as of this morning was fully exploitable.
TeamElite, the group behind XSS disclosures on sites run by the WHO, Playboy Romania, TwitterCounter.com, The New York Times, AVG Bulgaria, Telegraph.co.uk and others, posted their TechNet discovery and PoC code on Monday. [Source]
The images below show the vulnerability in action.
As of this morning (7:30 a.m. EST), the following links were still valid as examples. [PoC 1] [PoC 2]
The oddity in all of this is that it looks like Microsoft didn’t use their own tools. In September, Anti-XSS 3.1 was released, along with the BinScope Binary Analyzer and the MiniFuzz File Fuzzer, as part of Microsoft’s SDL (Security Development Lifecycle) initiative.
So what are XSS attacks and what do they mean?
“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page,” explains the OWASP guide on Cross-Site Scripting.
XSS vulnerabilities are, according to a recent WhiteHat Security report, one of the most visible design flaws online, after SQL Injection (SQLi). WhiteHat’s data is backed by a SANS report that said attacks against web applications account for more than 60 percent of the attack attempts seen online.
Vulnerabilities such as SQLi and XSS accounted for more than 80 percent of the problems observed in open-source as well as custom applications, SANS said. The two attack vectors are linked by criminals, who compromise a web application and then use it to distribute client-side software exploits. Yet web applications and client-side software take a back seat when it comes to security planning.
While the TechNet flaw is serious, it only goes to show that any web application is exposed unless it is completely checked. Even Microsoft agrees.
“No matter how strong the security of your server is, if the applications that it hosts are not programmed according to best security practices, your network might be vulnerable to attacks. As part of a defense-in-depth strategy, IIS administrators should work with developers to ensure that the code hosted on the server running IIS is as secure as possible. For example, developers can reduce the risk of certain types of attacks, such as cross-site scripting and SQL injection, by validating user input.” - TechNet note for IIS 6.
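The encoding step behind that advice, as an added illustration that is not part of the article or of any Microsoft code: a search page that reflects the user's query straight into its HTML, beside a version that applies whitelist-style HTML encoding (the "principle of inclusion" approach the Anti-XSS library takes: every character outside a small safe set is encoded). The sample query and the foreign-tag check are constructed for this example.

```javascript
// Added example (not from the article): how output encoding stops a reflected XSS.
// A results page echoes the user's query back into its HTML. Anything the page
// reflects without encoding becomes part of the page's own markup.

// Vulnerable rendering: the query is concatenated straight into the HTML.
function renderUnsafe(query) {
  return `<p>Results for: <b>${query}</b></p>`;
}

// Whitelist-style HTML encoder (modelled on the "principle of inclusion" the
// Microsoft Anti-XSS library follows): only [A-Za-z0-9] and the space pass
// through; every other character becomes a numeric entity, so no input can
// close the <b>, open a new tag or start an attribute. This encoder is for
// HTML element content only; attribute, JavaScript and URL contexts each need
// their own encoder.
function htmlEncode(text) {
  let out = "";
  for (const ch of String(text)) {
    // for...of yields whole code points, so astral characters are encoded once.
    out += /[A-Za-z0-9 ]/.test(ch) ? ch : `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// Hardened rendering: the same template, with the query encoded first.
function renderSafe(query) {
  return `<p>Results for: <b>${htmlEncode(query)}</b></p>`;
}

// Defender's check: does the rendered page contain any tag the template did
// not put there? Only the template's own <p>, <b> and their closers are allowed.
const ALLOWED_TAGS = new Set(["p", "/p", "b", "/b"]);
function containsForeignTag(html) {
  const tagRe = /<(\/?[a-zA-Z][a-zA-Z0-9]*)/g;
  for (const m of html.matchAll(tagRe)) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed probe: closes the template's <b> and injects markup of its own.
const PROBE = "</b><i>injected markup</i>";
console.log(containsForeignTag(renderUnsafe(PROBE))); // true: markup leaked in
console.log(containsForeignTag(renderSafe(PROBE)));   // false: rendered as text
```

Run with any Node.js that supports `String.prototype.matchAll`; the same check can be pointed at captured responses when reviewing a page for reflected input.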
Microsoft has been notified, and we have asked them for any comments or statements. If they respond we’ll update this article.